YubiKey, best practices?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

YubiKey, best practices?

Post by bertilak »

I just got a YubiKey (2, actually -- one for backup).

What are the best ways to use it? (I assume whatever setup I do, I will do twice, once for each key.)

Here are some specific questions, but I really want general advice. I am mostly listing these to demonstrate my general lack of understanding!
  1. Looking at it with the YubiKey Manager I see it has three applications: OTP, FIDO2, PIV. Do I care?
  2. Can I use it on my laptop to log into Windows? Will I still need to type in my Windows password or PIN? My goal is to log on to Windows without typing in a password or pin, assuming the YubiKey is inserted. If the key was in my pocket, anyone having only the laptop could not log on.
  3. How do I set it up for Vanguard?
  4. What other useful things can I do with it?
It seems I already have 2-factor authentication with the laptop: 1) the laptop itself, 2) the laptop's password.

I think I can figure out some of this by fiddling around but worry about messing things up and locking myself out permanently.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Scorpion Stare
Posts: 195
Joined: Wed Dec 22, 2021 9:15 am

Re: YubiKey, best practices?

Post by Scorpion Stare »

bertilak wrote: Fri Apr 15, 2022 1:26 pm Looking at it with the YubiKey Manager I see it has three applications: OTP, FIDO2, PIV. Do I care?
No, you don't need to know about these details. These are different ways that programmers can make their web sites/apps talk to your YubiKey. When you connect your key to a site like Vanguard, it will automatically use the appropriate method.
bertilak wrote: Fri Apr 15, 2022 1:26 pm Can I use it on my laptop to log into Windows? Will I still need to type in my Windows password or PIN? My goal is to log on to Windows without typing in a password or pin if the YubiKey is inserted. If the key was in my pocket, anyone having only the laptop could not log in.
https://www.yubico.com/products/computer-login-tools/ lists some options. It looks like passwordless login only works if you have an Active Directory account, so this may only be possible if your computer is managed by your employer or institution. For "local" accounts, you can use the YubiKey in addition to a password. If you log in with a "Microsoft Account" sign-in, you can't use the YubiKey.
bertilak wrote: Fri Apr 15, 2022 1:26 pm How do I set it up for Vanguard?
Follow the directions at https://investor.vanguard.com/security-center

Make sure to register both keys!
bertilak wrote: Fri Apr 15, 2022 1:26 pm What other useful things can I do with it?
You should also use it to protect your email account, if you use a service like Gmail that supports hardware keys.
Elric
Posts: 731
Joined: Fri Dec 07, 2018 11:23 pm
Location: Virginia

Re: YubiKey, best practices?

Post by Elric »

I use mine for two things: Lastpass login and Google accounts (including email). I'd use it for Schwab if they supported it, but they don't.
"No man is free who must work for a living." (Illya Kuryakin)
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: YubiKey, best practices?

Post by rebellovw »

Elric wrote: Fri Apr 15, 2022 1:45 pm I use mine for two things: Lastpass login and Google accounts (including email). I'd use it for Schwab if they supported it, but they don't.

Me too.

As far as I'm concerned - email and last pass both critical.

Both emails protected with key along with Advanced Google Security setup (using Yubikey)

Everything else is 2 FA via phone.

Other than that - I have like 5 backup keys - all duplicates to ensure I'm never w/o one. All our car keys have one on them - and one stashed away with instructions to access all my accounts should I perish.
Topic Author
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: YubiKey, best practices?

Post by bertilak »

Scorpion Stare wrote: Fri Apr 15, 2022 1:37 pm Follow the directions at https://investor.vanguard.com/security-center
I got "Security key service is temporarily unavailable. Please try again." first time. Seemed to work 2nd time.

Got the same error trying to register my 2nd key but this time a 2nd attempt did not succeed.

Not very encouraging! Do I really want to depend on this?

The registered key does work. I need to touch it to get through the logon.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Topic Author
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: YubiKey, best practices?

Post by bertilak »

Scorpion Stare wrote: Fri Apr 15, 2022 1:37 pm
bertilak wrote: Fri Apr 15, 2022 1:26 pm Can I use it on my laptop to log into Windows? Will I still need to type in my Windows password or PIN? My goal is to log on to Windows without typing in a password or pin if the YubiKey is inserted. If the key was in my pocket, anyone having only the laptop could not log in.
https://www.yubico.com/products/computer-login-tools/ lists some options. It looks like passwordless login only works if you have an Active Directory account, so this may only be possible if your computer is managed by your employer or institution. For "local" accounts, you can use the YubiKey in addition to a password. If you log in with a "Microsoft Account" sign-in, you can't use the YubiKey.
I think I use a Microsoft Account. It uses my email address and a password. I'm pretty sure it is not a local account. I believe it must be a Microsoft Account as I use OneDrive which I access from my laptop and my phone.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Topic Author
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: YubiKey, best practices?

Post by bertilak »

bertilak wrote: Fri Apr 15, 2022 4:30 pm
Scorpion Stare wrote: Fri Apr 15, 2022 1:37 pm Follow the directions at https://investor.vanguard.com/security-center
I got "Security key service is temporarily unavailable. Please try again." first time. Seemed to work 2nd time.

Got the same error trying to register my 2nd key but this time a 2nd attempt did not succeed.

Not very encouraging! Do I really want to depend on this?

The registered key does work. I need to touch it to get through the logon.
I now have both Yubi keys registered with Vanguard, both working fine.

I THINK I know what my problem was -- you must give each key a name. I was trying to use names with a special character (dash), for example:

myyubikey-1
myyubikey-2

Using names without the dash worked. I don't know if this was random chance or if that was really the problem.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Topic Author
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: YubiKey, best practices?

Post by bertilak »

OK, I have Vanguard logon protected by YubiKey, but ...

That works fine from my laptop (YubiKey must be present and must be touched) but I can log on to Vanguard with my phone app and YubiKey is completely bypassed. This seems to me to be a big flaw. If I lose my phone anyone can access my Vanguard accounts. Yes, 2nd factor is still involved but it consists of seeing a code ON THE PHONE!

Am I missing something? Can I set things up differently?
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
otinkyad
Posts: 486
Joined: Wed Jun 01, 2016 5:35 pm

Re: YubiKey, best practices?

Post by otinkyad »

bertilak wrote: Mon Apr 18, 2022 11:08 am OK, I have Vanguard logon protected by YubiKey, but ...

That works fine from my laptop (YubiKey must be present and must be touched) but I can log on to Vanguard with my phone app and YubiKey is completely bypassed. This seems to me to be a big flaw. If I lose my phone anyone can access my Vanguard accounts. Yes, 2nd factor is still involved but it consists of seeing a code ON THE PHONE!

Am I missing something? Can I set things up differently?
There are lots of flaws and loopholes in the 2FA fabric, but it’s slowly getting better, and it’s still a good idea to use it where you can.

Preventing remote exploits and phishing are the main benefits of security keys. Personally, my phone has a passcode, so someone still needs my password, my security key or my phone, and if they have my phone they still need my passcode. I also turn off lock screen notifications when I’m traveling. (I should just turn them off all the time, but that’s where I’ve drawn the security/convenience line at the moment.)
Topic Author
bertilak
Posts: 10725
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: YubiKey, best practices?

Post by bertilak »

otinkyad wrote: Mon Apr 18, 2022 4:35 pm
bertilak wrote: Mon Apr 18, 2022 11:08 am OK, I have Vanguard logon protected by YubiKey, but ...

That works fine from my laptop (YubiKey must be present and must be touched) but I can log on to Vanguard with my phone app and YubiKey is completely bypassed. This seems to me to be a big flaw. If I lose my phone anyone can access my Vanguard accounts. Yes, 2nd factor is still involved but it consists of seeing a code ON THE PHONE!

Am I missing something? Can I set things up differently?
There are lots of flaws and loopholes in the 2FA fabric, but it’s slowly getting better, and it’s still a good idea to use it where you can.

Preventing remote exploits and phishing are the main benefits of security keys. Personally, my phone has a passcode, so someone still needs my password, my security key or my phone, and if they have my phone, they still need my passcode. I also turn off lock screen notifications when I’m traveling. (I should just turn them off all the time, but that’s where I’ve drawn the security/convenience line at the moment.)
Allowing login from another device (e.g., smartphone) is one of those 2FA loopholes you speak of. I tried to plug this hole by setting the Vanguard security option: Don't allow logins from unknown devices nor from smart phones. (It's all one setting.)

That locked me out completely! Even from the laptop with the YubiKey. Turns out configuring to use YubiKey tells Vanguard to treat every device (even the one with a YubiKey) as an unknown device. Vanguard now would not let me log in with the laptop at all. Some sort of a catch-22 involved here. I had to call in to get things reset.

I decided Vanguard's default 2FA (secret code in SMS message to cell phone) provided just as much security and was much simpler. Any improvement in security is minimal (if any) and just a lot of trouble for legitimate use. It's all too complicated to even explain clearly.

Oh yes, none of this stuff affects Vanguard's phone app. You can log in with the app no matter what your 2FA settings are. Those only affect the web page, not the phone app. YubiKey leaves this open. When logged in with the app there is no access to the security settings. This is why I had to call in to get things reset.

So, I decided NOT to use the YubiKey.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
hudson
Posts: 7119
Joined: Fri Apr 06, 2007 9:15 am

Re: YubiKey, best practices?

Post by hudson »

bertilak wrote: Fri Apr 15, 2022 1:26 pm I just got a YubiKey (2, actually -- one for backup).

What are the best ways to use it? (I assume whatever setup I do, I will do twice, once for each key.)

Here are some specific questions, but I really want general advice. I am mostly listing these to demonstrate my general lack of understanding!
  1. Looking at it with the YubiKey Manager I see it has three applications: OTP, FIDO2, PIV. Do I care?
  2. Can I use it on my laptop to log into Windows? Will I still need to type in my Windows password or PIN? My goal is to log on to Windows without typing in a password or pin, assuming the YubiKey is inserted. If the key was in my pocket, anyone having only the laptop could not log on.
  3. How do I set it up for Vanguard?
  4. What other useful things can I do with it?
It seems I already have 2-factor authentication with the laptop: 1) the laptop itself, 2) the laptop's password.

I think I can figure out some of this by fiddling around but worry about messing things up and locking myself out permanently.
I think the Yubikey (or an equivalent if there is one) is the best available two factor identification at least for me.
The authentication apps come in second best
Two Factor Authentication by texts or phone calls come in third best but still good.
I use all three.

I use the Yubikey for Google, Vanguard, and ID.ME...which ties me into the IRS and other websites.

I need a regular USB Yubikey and backup
I also have a YubiKey 5C NFC which will fit into a USB-C port for Windows or Apple. It works on my Windows 10 desktop and my Apple Macbook Air.
The NFC means that it'll work wirelessly over an iPhone....or probably on the Macbook Air.

Sure the Yubikey is painful at times. I just grumble a little, give it 24 hours and go back at it. Currently, it's working well everywhere.

Bottom Line: Once you get it going, what's better?
Last edited by hudson on Tue Apr 19, 2022 4:45 am, edited 1 time in total.
otinkyad
Posts: 486
Joined: Wed Jun 01, 2016 5:35 pm

Re: YubiKey, best practices?

Post by otinkyad »

bertilak wrote: Mon Apr 18, 2022 6:53 pm So, I decided NOT to use the YubiKey.
Note that even if the 2FA settings don’t affect the app (and it’s hard to tell; some apps may check whether they’re installed on a phone with your registered phone number), it’s still more secure each time you use a security key instead of a security code to login, because you can’t be phished. Everything that limits exposure helps, and phishing is far more common than SIM swapping or, likely, even phone theft.
Novice2020
Posts: 85
Joined: Sat May 25, 2019 10:32 am

Re: YubiKey, best practices?

Post by Novice2020 »

rebellovw wrote: Fri Apr 15, 2022 4:07 pm
Elric wrote: Fri Apr 15, 2022 1:45 pm I use mine for two things: Lastpass login and Google accounts (including email). I'd use it for Schwab if they supported it, but they don't.

Me too.

As far as I'm concerned - email and last pass both critical.

Both emails protected with key along with Advanced Google Security setup (using Yubikey)

Everything else is 2 FA via phone.

Other than that - I have like 5 backup keys - all duplicates to ensure I'm never w/o one. All our car keys have one on them - and one stashed away with instructions to access all my accounts should I perish.
I was recently looking at Google Advanced Security Setup and they were pushing me to purchase two of their own keys (Titan), that appear to be competitors to Yubikey.

Does anyone have experience with these Google Titan keys versus Yubikey keys? Both with Gmail and with Vanguard?
Last edited by Novice2020 on Mon Apr 18, 2022 9:22 pm, edited 1 time in total.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: YubiKey, best practices?

Post by anon_investor »

Novice2020 wrote: Mon Apr 18, 2022 9:17 pm
rebellovw wrote: Fri Apr 15, 2022 4:07 pm
Elric wrote: Fri Apr 15, 2022 1:45 pm I use mine for two things: Lastpass login and Google accounts (including email). I'd use it for Schwab if they supported it, but they don't.

Me too.

As far as I'm concerned - email and last pass both critical.

Both emails protected with key along with Advanced Google Security setup (using Yubikey)

Everything else is 2 FA via phone.

Other than that - I have like 5 backup keys - all duplicates to ensure I'm never w/o one. All our car keys have one on them - and one stashed away with instructions to access all my accounts should I perish.
I was recently looking at Google Advanced Security Setup and they were pushing me to purchase two of their own keys, that appear to be competitors to Yubikey.

Does anyone have experience with these Google keys versus Yubikey keys?
Yubikeys work for Google accounts. Yubikeys are the gold standard. I don't know which brand Google pushes now, but it may not be as widely compatible as Yubikey.
otinkyad
Posts: 486
Joined: Wed Jun 01, 2016 5:35 pm

Re: YubiKey, best practices?

Post by otinkyad »

anon_investor wrote: Mon Apr 18, 2022 9:20 pm
Novice2020 wrote: Mon Apr 18, 2022 9:17 pm I was recently looking at Google Advanced Security Setup and they were pushing me to purchase two of their own keys, that appear to be competitors to Yubikey.

Does anyone have experience with these Google keys versus Yubikey keys?
Yubikeys work for Google accounts. Yubikeys are the gold standard. I don't know which brand Google pushes now, but it may not be as widely compatible as Yubikey.
The “advantage” of YubiKeys is that they support older and proprietary standards (OTP and YubiCo OTP). Vanguard and LastPass specifically require YubiKeys for that reason. Google only supports U2F and FIDO2, IIRC, which are also supported by recent YubiKeys.

Some people are also leery of Titan keys because they’re made in China. Google is leery of China and obviously OK with Titan keys, so I personally don’t worry about that.
otinkyad
Posts: 486
Joined: Wed Jun 01, 2016 5:35 pm

Re: YubiKey, best practices?

Post by otinkyad »

otinkyad wrote: Mon Apr 18, 2022 9:49 pm
anon_investor wrote: Mon Apr 18, 2022 9:20 pm
Novice2020 wrote: Mon Apr 18, 2022 9:17 pm I was recently looking at Google Advanced Security Setup and they were pushing me to purchase two of their own keys, that appear to be competitors to Yubikey.

Does anyone have experience with these Google keys versus Yubikey keys?
Yubikeys work for Google accounts. Yubikeys are the gold standard. I don't know which brand Google pushes now, but it may not be as widely compatible as Yubikey.
The “advantage” of YubiKeys is that they support older and proprietary standards (OTP and YubiCo OTP). Vanguard and LastPass specifically require YubiKeys for that reason. Google only supports U2F and FIDO2, IIRC, which are also supported by recent YubiKeys.

Some people are also leery of Titan keys because they’re made in China. Google is leery of China and obviously OK with Titan keys, so I personally don’t worry about that.
I never paid attention, and all the references here have been to YubiKeys, but Vanguard seems only to require a U2F-compatible key, not a YubiKey specifically (which is good, because Yubico OTP *is* phishable).
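The two claims above (a security key "can't be phished", while a typed code, including a Yubico OTP string, can) come down to what the key signs. A U2F/WebAuthn assertion covers a fresh server challenge, the hash of the rpId the credential was created for, and the origin the browser itself writes into the client data; a one-time code is a bearer string that works from whichever page asks for it. The following simulation is an added example written for this thread, not code from any poster, Vanguard or Yubico. Its assumptions: an HMAC with a per-credential secret stands in for the key's ECDSA signature (so the site verifies with the same secret), the browser is modelled as one function, and the rpId `investor.vanguard.com` and the phishing origin `vanguard-login.example` are constructed for the demonstration.

```python
"""Why a U2F/WebAuthn security key resists phishing and a one-time code does not.
Added illustration, not code from the thread, Vanguard or Yubico. Assumptions: an
HMAC with a per-credential secret stands in for the key's ECDSA signature (so the
site verifies with the same secret), the browser is one function, and the rpId
and phishing origin are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "investor.vanguard.com"                  # assumed rpId of the real site
PHISH_ORIGIN = "https://vanguard-login.example"  # constructed attacker origin


def sha256(data):
    return hashlib.sha256(data).digest()


class Authenticator:
    """The key. A credential is bound to one rpId; the key only ever signs
    SHA256(rpId) || SHA256(clientData) and never sees a password or the page."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, secret)

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def verifier_key(self, cred_id):  # toy stand-in for exporting the public key
        return self._creds[cred_id][1]

    def sign(self, cred_id, rp_id, client_data_hash):
        stored_rp, secret = self._creds[cred_id]
        if stored_rp != rp_id:
            raise KeyError("no credential for this rpId")
        return hmac.new(secret, sha256(rp_id.encode()) + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(key, origin, rp_id, cred_id, challenge, enforce_rp_id=True):
    """Models navigator.credentials.get(): the browser, not the page, writes the
    origin into clientData and refuses an rpId the page's origin does not own."""
    host = origin.split("://", 1)[1]
    if enforce_rp_id and host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("rpId is not a registrable suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    return client_data, key.sign(cred_id, rp_id, sha256(client_data))


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id, self.origin, self.creds = rp_id, "https://" + rp_id, {}
        self._code_secret = secrets.token_bytes(20)

    # Code-based second factor: whoever holds the digits inside the window wins.
    def current_code(self):
        return hmac.new(self._code_secret, b"window", hashlib.sha256).hexdigest()[:6]

    def verify_code(self, code):
        return hmac.compare_digest(code, self.current_code())

    # Security-key second factor: the signature covers a fresh challenge, the rpId
    # and the origin the browser saw, so an assertion relayed from another site fails.
    def register(self, cred_id, verifier_key):
        self.creds[cred_id] = verifier_key

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify_assertion(self, cred_id, challenge, client_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False, "challenge mismatch"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"
        msg = sha256(self.rp_id.encode()) + sha256(client_data)
        expected = hmac.new(self.creds[cred_id], msg, hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expected, sig) else (False, "bad signature")


def _enrolled():
    rp, key = RelyingParty(RP_ID), Authenticator()
    cred = key.register(RP_ID)
    rp.register(cred, key.verifier_key(cred))
    return rp, key, cred


def legitimate_login():
    rp, key, cred = _enrolled()
    challenge = rp.new_challenge()
    cd, sig = browser_get_assertion(key, rp.origin, RP_ID, cred, challenge)
    return rp.verify_assertion(cred, challenge, cd, sig)


def phish_with_code():
    """Victim reads the code off the phone and types it into the phishing page; the
    attacker relays it to the real site inside the validity window."""
    rp = RelyingParty(RP_ID)
    return rp.verify_code(rp.current_code())


def phish_with_security_key(lax_browser=False):
    """Attacker fetches a real challenge and gets the victim's browser to sign it on
    the phishing origin. lax_browser=True skips the browser's rpId check to show the
    site's own origin check still rejects the relay."""
    rp, key, cred = _enrolled()
    challenge = rp.new_challenge()
    try:
        cd, sig = browser_get_assertion(key, PHISH_ORIGIN, RP_ID, cred, challenge,
                                        enforce_rp_id=not lax_browser)
    except PermissionError as exc:
        return False, str(exc)
    return rp.verify_assertion(cred, challenge, cd, sig)
```

Running the four scenarios shows the asymmetry: `phish_with_code()` returns True because the relayed digits are indistinguishable from the victim typing them on the real site, `legitimate_login()` returns `(True, "ok")`, and `phish_with_security_key()` fails twice over, first at the browser (the phishing host does not own the rpId) and, with that check disabled, at the site (the signed client data names the wrong origin). A Yubico OTP, being a string the user pastes into whatever form asks for it, behaves like the code path here, which is why the U2F/FIDO2 registration is the one to prefer where a site offers both.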
NDS
Posts: 78
Joined: Sun Dec 29, 2013 1:09 am

Re: YubiKey, best practices?

Post by NDS »

Yubikey to secure Google Voice / Mail, Google Voice number as 2fa sms for any site that doesn’t support anything but sms for 2fa
increment
Posts: 1735
Joined: Tue May 15, 2018 2:20 pm

Re: YubiKey, best practices?

Post by increment »

otinkyad wrote: Tue Apr 19, 2022 12:17 am I never paid attention, and all the references here have been to YubiKeys, but Vanguard seems only to require a U2F-compatible key, not a YubiKey specifically (which is good, because Yubico OTP *is* phishable).
I have never been able to get Vanguard to accept my Yubikey 5Ci. In the old days they had a list of acceptable hardware keys and the 5Ci was conspicuously absent. (Since that list disappeared from the site, I have been able to get them to accept the first-generation solokey, also absent from that list.)

On sites that allow it, you have to explicitly sign up for Yubico OTP; you don't have it enabled just by signing up your Yubikey for U2F.
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

So after reading about YubiKeys here on this forum, I went ahead and got a couple.

Setting them up for use to access the Vanguard and Bank of America accounts via my computer was fast and easy. But some things I have learned:

- Fidelity does not support Yubikey. Rather, you can use a VIP Access app that is installed on a computer or phone--it generates a number every few seconds you can use. You can only use ONE device for this (either a computer or phone).

- At least on my Android smartphone, the Yubikey does NOT work with the Vanguard and BofA apps or in trying to access my Vanguard or BofA accounts via the phone's Chrome or Firefox browsers. Looks like, at least for me, that the Yubikey can only be used to access these accounts via a desktop or laptop computer. So I'm glad I got the keys that use the USB-A format and NOT the USB-C format. (I did get adapters so the USB-A keys can be slotted into the USB-C interface on my Android phone--but I guess that was a waste of money and I will not be able to use this. Good thing it was only a few bucks.)

So my results have been mixed, but on the whole I think this was a good purchase. I'm going to be travelling overseas and will not be able to receive SMS messages (as I don't want to pay for an international plan). The Yubikeys will allow me to access my accounts, but only on my laptop. I guess I just won't be able to access the accounts using my phone.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: YubiKey, best practices?

Post by anon_investor »

Finridge wrote: Tue May 17, 2022 7:35 pm So after reading about YubiKeys here on this forum, I went ahead and got a couple.

Setting them up for use to access the Vanguard and Bank of America accounts via my computer was fast and easy. But some things I have learned:

- Fidelity does not support Yubikey. Rather, you can use a VIP Access app that is installed on a computer or phone--it generates a number every few seconds you can use. You can only use ONE device for this (either a computer or phone).

- At least on my Android smartphone, the Yubikey does NOT work with the Vanguard and BofA apps or in trying to access my Vanguard or BofA accounts via the phone's Chrome or Firefox browsers. Looks like, at least for me, that the Yubikey can only be used to access these accounts via a desktop or laptop computer. So I'm glad I got the keys that use the USB-A format and NOT the USB-C format. (I did get adapters so the USB-A keys can be slotted into the USB-C interface on my Android phone--but I guess that was a waste of money and I will not be able to use this. Good thing it was only a few bucks.)

So my results have been mixed, but on the whole I think this was a good purchase. I'm going to be travelling overseas and will not be able to receive SMS messages (as I don't want to pay for an international plan). The Yubikeys will allow me to access my accounts, but only on my laptop. I guess I just won't be able to access the accounts using my phone.
With Vanguard AND BoA, you can use a Google Voice number to receive SMS 2FA. This could help you get around not receiving SMS overseas, since any SMS to your Google Voice can be set up to show up in your Gmail.
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

anon_investor wrote: Tue May 17, 2022 9:35 pm
Finridge wrote: Tue May 17, 2022 7:35 pm So after reading about YubiKeys here on this forum, I went ahead and got a couple.

Setting them up for use to access the Vanguard and Bank of America accounts via my computer was fast and easy. But some things I have learned:

- Fidelity does not support Yubikey. Rather, you can use a VIP Access app that is installed on a computer or phone--it generates a number every few seconds you can use. You can only use ONE device for this (either a computer or phone).

- At least on my Android smartphone, the Yubikey does NOT work with the Vanguard and BofA apps or in trying to access my Vanguard or BofA accounts via the phone's Chrome or Firefox browsers. Looks like, at least for me, that the Yubikey can only be used to access these accounts via a desktop or laptop computer. So I'm glad I got the keys that use the USB-A format and NOT the USB-C format. (I did get adapters so the USB-A keys can be slotted into the USB-C interface on my Android phone--but I guess that was a waste of money and I will not be able to use this. Good thing it was only a few bucks.)

So my results have been mixed, but on the whole I think this was a good purchase. I'm going to be travelling overseas and will not be able to receive SMS messages (as I don't want to pay for an international plan). The Yubikeys will allow me to access my accounts, but only on my laptop. I guess I just won't be able to access the accounts using my phone.
With Vanguard AND BoA, you can use a Google Voice number to receive SMS 2FA. This could help you get around not receiving SMS overseas, since any SMS to your Google Voice can be set up to show up in your Gmail.
Yes, I have a Google Voice number that I use for both phone calls and text messages, and so this was what I was originally planning to do. But then I decided against it. The reason I decided against it is that if someone is able to hack into my Google account, then they will have access to my Google Drive, all my emails, AND Google Voice. Too many eggs in one basket. And I wouldn't necessarily know if someone gained access to my Google account. For all I know someone may be tapping into it right now from a country on the other side of the world. With my phone, if I physically have control of my phone, that is the only place the SMS messages are going. Unless they hijack my number via a SIM swap--but if they do that then my number stops working, which will alert me.
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

This 10 minute video tutorial (see link below) on ways 2FA is hacked is fascinating and horrifying. From what it says, BOTH sms AND email-based 2FA should be avoided. Software apps like Google Authenticator are much better, but vulnerable to the phone being taken over.

So the YubiKey (and similar measures) end up looking like the best solutions.

I just wish I could get my YubiKey working on my android phone!



https://youtu.be/GexQHFt9fTE?t=472
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

But never mind. In looking into how my new Yubikeys work with Vanguard, I see a significant flaw. The Vanguard mobile app does not implement YubiKey at all. Not only that, but if I turn off security codes altogether, then while the website allows logging in ONLY with the Yubikey, the mobile app just allows login via the user name and password and so does not provide ANY two factor authentication safeguard AT ALL. This is a major security hole.

To see just how bad this is, I borrowed another family member's tablet. It was not my device and didn't have the Vanguard mobile app installed. I installed the Vanguard mobile app, and then tried to login using it. I put in my user name and password, and after that, and in all fairness, the app did ask for the answer to a security question. Inputting that, it gave me full access to the account.

And looking at the various security questions you can choose, I am struck by how many of them are not very secure. Many of them can be found out in a few minutes by googling or accessing a genealogical database. And I'm embarrassed to report that the security question that the app provided to me was one of those--something that anyone could have found out with 10-15 minutes of research on the web.

So I'm not sure of the point of using a YubiKey with Vanguard. I'd read in one of the threads here that Vanguard had changed their web site so that you could use only Yubikeys and not use security codes at all. But that really isn't the case if anyone with a phone or tablet can then access my account without a Yubikey or even any need to gain access to my phone number. I'm frankly shocked that there would be such a glaring security hole. I do not see any advantage to turning security codes off, even though they are vulnerable to a SIM swap attack--but the alternative seems to be worse. If you think I'm missing something, let me know.

One thing that I just did is go through all my security questions and change the answer from the "correct" answer to an arbitrary pass phrase--one that I can remember and that nobody can find out by knowing me or researching it.
Yarlonkol12
Posts: 974
Joined: Thu Apr 11, 2019 4:28 pm

Re: YubiKey, best practices?

Post by Yarlonkol12 »

I label my Yubikeys with colored stickers and I have a spreadsheet of which keys are used with which sites, (could use a password manager instead to track this). The reasoning is that if I lose one of them, I can work through the list to revoke access for the lost key and then add the replacement key to those sites

I also use "Advanced Security Program for my Google account" which means only Yubikey access, but they do allow 1 recovery email. I used my work email as a recovery email for my personal email account, just in case I lose all my keys. With Gmail and advanced security program enabled, the recovery email takes a few days to regain access to the account, and you get an email alert as well. While not ideal, I didn't want to risk being forever locked out of my gmail, and the built in 3 day delay makes it unlikely that another party using my work email could hijack my personal account
My posts are for entertainment purposes only.
Yarlonkol12
Posts: 974
Joined: Thu Apr 11, 2019 4:28 pm

Re: YubiKey, best practices?

Post by Yarlonkol12 »

Finridge wrote: Wed May 18, 2022 4:12 am But never mind. In looking into how my new Yubikeys work with Vanguard, I see a significant flaw. The Vanguard mobile app does not implement YubiKey at all. Not only that, but if I turn off security codes altogether, then while the website allows logging in ONLY with the Yubikey, the mobile app just allows login via the user name and password and so does not provide ANY two factor authentication safeguard AT ALL. This is a major security hole.

To see just how bad this is, I borrowed another family member's tablet. It was not my device and didn't have the Vanguard mobile app installed. I installed the Vanguard mobile app, and then tried to login using it. I put in my user name and password, and after that, and in all fairness, the app did ask for the answer to a security question. Inputting that, it gave me full access to the account.

And looking at the various security questions you can choose, I am struck by how many of them are not very secure. Many of them can be found out in a few minutes by googling or accessing a genealogical database. And I'm embarrassed to report that the security question that the app provided to me was one of those--something that anyone could have found out with 10-15 minutes of research on the web.

So I'm not sure of the point of using a YubiKey with Vanguard. I'd read in one of the threads here that Vanguard had changed their web site so that you could use only Yubikeys and not use security codes at all. But that really isn't the case if anyone with a phone or tablet can then access my account without a Yubikey or even any need to gain access to my phone number. I'm frankly shocked that there would be such a glaring security hole. I do not see any advantage to turning security codes off, even though they are vulnerable to a SIM swap attack--but the alternative seems to be worse. If you think I'm missing something, let me know.

One thing that I just did is go through all my security questions and change the answer from the "correct" answer to an arbitrary pass phrase--one that I can remember and that nobody can find out by knowing me or researching it.
Bank of America seems to work similarly in my experience.

Few websites actually seem to "correctly" implement this, Google being the best example in my opinion of how to do it right.
My posts are for entertainment purposes only.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: YubiKey, best practices?

Post by anon_investor »

Finridge wrote: Wed May 18, 2022 1:12 am
anon_investor wrote: Tue May 17, 2022 9:35 pm
Finridge wrote: Tue May 17, 2022 7:35 pm So after reading about YubiKeys here on this forum, I went ahead and got a couple.

Setting them up for use to access the Vanguard and Bank of America accounts via my computer was fast and easy. But some things I have learned:

- Fidelity does not support Yubikey. Rather, you can use a VIP Access app that is installed on a computer or phone--it generates a number every few seconds you can use. You can only use ONE device for this (either a computer or phone).

- At least on my Android smartphone, the Yubikey does NOT work with the Vanguard and BofA apps or in trying to access my Vanguard or BofA accounts via the phone's Chrome or Firefox browsers. Looks like, at least for me, that the Yubikey can only be used to access these accounts via a desktop or laptop computer. So I'm glad I got the keys that use the USB-A format and NOT the USB-C format. (I did get adapters so the USB-A keys can be slotted into the USB-C interface on my Android phone--but I guess that was a waste of money and I will not be able to use this. Good thing it was only a few bucks.)

So my results have been mixed, but on the whole I think this was a good purchase. I'm going to be travelling overseas and will not be able to receive SMS messages (as I don't want to pay for an international plan). The Yubikeys will allow me to access my accounts, but only on my laptop. I guess I just won't be able to access the accounts using my phone.
With Vanguard AND BoA, you can use a Google Voice number to receive SMS 2FA. This could help you get around not receiving SMS overseas, since any SMS to your Google Voice can be set up to show up in your Gmail.
Yes, I have a Google Voice number that I use for both phone calls and text messages, and so this was what I was originally planning to do. But then I decided against it. The reason I decided against it is that if someone is able to hack into my Google account, then they will have access to my Google Drive, all my emails, AND Google Voice. Too many eggs in one basket. And I wouldn't necessarily know if someone gained access to my Google account. For all I know someone may be tapping into it right now and from a country on the other side of the world. With my phone, if I physically have control of my phone, that is the only place the SMS messages are going. Unless they hijack my number via a SIM swap--but if they do that then my number stops working which will alert me.
You can secure your Gmail with a Yubikey.
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

anon_investor wrote: Wed May 18, 2022 5:39 am
You can secure your Gmail with a Yubikey.
This is a nice option and protects against SIM swap attacks, and I expect that if someone uses it to log in every time they access Gmail or Google Drive it provides strong security. However, most people have these Google services already approved on all their computers and devices. Because we use these services constantly, almost nobody is willing to log in to these services using credentials every time they use them. So in most cases, if anyone can establish control remotely over a computer or device, they have access to Gmail.

Side note: I have the Yubico blue key. I got two for $25 each. I was able to configure it using the Yubico app to add a PIN number. After doing this, when I log into my Bank of America account, I have to enter the PIN to use the key. However, even with the same key, this does not happen with my Vanguard account--I can use the key without entering a PIN.

After taking my key and playing with different login options at Vanguard and Bank of America, and repeatedly logging in to both accounts using my computer and the mobile apps on my devices, I am left with a feeling of disappointment. At both institutions, the YubiKey does not secure access via mobile devices. Rather, they revert to codes sent by SMS.

So at this point, I regret purchasing the Yubikeys. I don't see them providing any real advantage over just using Google Voice. Maybe this will change in the future if these institutions better implement the technology. But the way they are implementing it now, they are leaving loopholes.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: YubiKey, best practices?

Post by anon_investor »

Finridge wrote: Wed May 18, 2022 12:55 pm
anon_investor wrote: Wed May 18, 2022 5:39 am
You can secure your Gmail with a Yubikey.
This is a nice option and protects against SIM swap attacks, and I expect that if someone uses it to log in every time they access Gmail or Google Drive it provides strong security. However, most people have these Google services already approved on all their computers and devices. Because we use these services constantly, almost nobody is willing to log in to these services using credentials every time they use them. So in most cases, if anyone can establish control remotely over a computer or device, they have access to Gmail.

Side note: I have the Yubico blue key. I got two for $25 each. I was able to configure it using the Yubico app to add a PIN number. After doing this, when I log into my Bank of America account, I have to enter the PIN to use the key. However, even with the same key, this does not happen with my Vanguard account--I can use the key without entering a PIN.

After taking my key and playing with different login options at Vanguard and Bank of America, and repeatedly logging in to both accounts using my computer and the mobile apps on my devices, I am left with a feeling of disappointment. At both institutions, the YubiKey does not secure access via mobile devices. Rather, they revert to codes sent by SMS.

So at this point, I regret purchasing the Yubikeys. I don't see them providing any real advantage over just using Google Voice. Maybe this will change in the future if these institutions better implement the technology. But the way they are implementing it now, they are leaving loopholes.
One benefit of Yubikey is that I can leave a spare one in a safe, so if you lose access to your Google Voice (for whatever reason), you can still access your Vanguard account.
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

anon_investor wrote: Wed May 18, 2022 1:00 pm
Finridge wrote: Wed May 18, 2022 12:55 pm
anon_investor wrote: Wed May 18, 2022 5:39 am
You can secure your Gmail with a Yubikey.
This is a nice option and protects against SIM swap attacks, and I expect that if someone uses it to log in every time they access Gmail or Google Drive it provides strong security. However, most people have these Google services already approved on all their computers and devices. Because we use these services constantly, almost nobody is willing to log in to these services using credentials every time they use them. So in most cases, if anyone can establish control remotely over a computer or device, they have access to Gmail.

Side note: I have the Yubico blue key. I got two for $25 each. I was able to configure it using the Yubico app to add a PIN number. After doing this, when I log into my Bank of America account, I have to enter the PIN to use the key. However, even with the same key, this does not happen with my Vanguard account--I can use the key without entering a PIN.

After taking my key and playing with different login options at Vanguard and Bank of America, and repeatedly logging in to both accounts using my computer and the mobile apps on my devices, I am left with a feeling of disappointment. At both institutions, the YubiKey does not secure access via mobile devices. Rather, they revert to codes sent by SMS.

So at this point, I regret purchasing the Yubikeys. I don't see them providing any real advantage over just using Google Voice. Maybe this will change in the future if these institutions better implement the technology. But the way they are implementing it now, they are leaving loopholes.
One benefit of Yubikey is that I can leave a spare one in a safe, so if you lose access to your Google Voice (for whatever reason), you can still access your Vanguard account.
Yes, after your email this morning, I did set up my keys to work with Google, so I can now use them to recover the account. I saw that several emails and phone numbers can already be used to recover the account if it is lost, but the keys can also be used for this, and maybe with these in place I can cut back on the other accounts that can be used for recovery purposes. But--and you can call me cheap--I'm not feeling like I'm getting that great a value from the keys. I was expecting more. I'm still surprised how I can't get them to work to access accounts using my mobile devices, and sort of hoping that I'm missing something and there is a way to do this if I look into it more.

(If anyone reading this is able to use a YubiKey on a mobile device for access to a Vanguard, or to another brokerage firm or bank, let me know...)
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: YubiKey, best practices?

Post by anon_investor »

Finridge wrote: Wed May 18, 2022 3:49 pm
anon_investor wrote: Wed May 18, 2022 1:00 pm
Finridge wrote: Wed May 18, 2022 12:55 pm
anon_investor wrote: Wed May 18, 2022 5:39 am
You can secure your Gmail with a Yubikey.
This is a nice option and protects against SIM swap attacks, and I expect that if someone uses it to log in every time they access Gmail or Google Drive it provides strong security. However, most people have these Google services already approved on all their computers and devices. Because we use these services constantly, almost nobody is willing to log in to these services using credentials every time they use them. So in most cases, if anyone can establish control remotely over a computer or device, they have access to Gmail.

Side note: I have the Yubico blue key. I got two for $25 each. I was able to configure it using the Yubico app to add a PIN number. After doing this, when I log into my Bank of America account, I have to enter the PIN to use the key. However, even with the same key, this does not happen with my Vanguard account--I can use the key without entering a PIN.

After taking my key and playing with different login options at Vanguard and Bank of America, and repeatedly logging in to both accounts using my computer and the mobile apps on my devices, I am left with a feeling of disappointment. At both institutions, the YubiKey does not secure access via mobile devices. Rather, they revert to codes sent by SMS.

So at this point, I regret purchasing the Yubikeys. I don't see them providing any real advantage over just using Google Voice. Maybe this will change in the future if these institutions better implement the technology. But the way they are implementing it now, they are leaving loopholes.
One benefit of Yubikey is that I can leave a spare one in a safe, so if you lose access to your Google Voice (for whatever reason), you can still access your Vanguard account.
Yes, after your email this morning, I did set up my keys to work with Google, so I can now use them to recover the account. I saw that several emails and phone numbers can already be used to recover the account if it is lost, but the keys can also be used for this, and maybe with these in place I can cut back on the other accounts that can be used for recovery purposes. But--and you can call me cheap--I'm not feeling like I'm getting that great a value from the keys. I was expecting more. I'm still surprised how I can't get them to work to access accounts using my mobile devices, and sort of hoping that I'm missing something and there is a way to do this if I look into it more.

(If anyone reading this is able to use a YubiKey on a mobile device for access to a Vanguard, or to another brokerage firm or bank, let me know...)
You can't use YubiKey on Vanguard or BoA mobile apps. For your Google, I would remove emails/phone numbers as a recovery method, since those can be potentially hacked. I use authenticator apps and Yubikeys.
K72
Posts: 440
Joined: Wed Dec 05, 2018 7:04 pm

Re: YubiKey, best practices?

Post by K72 »

anon_investor wrote: Wed May 18, 2022 3:58 pm For your Google, I would remove emails/phone numbers as a recovery method, since those can be potentially hacked. I use authenticator apps and Yubikeys.
Do you mean a combination of authenticator app and Yubikeys to protect the gmail account? I didn't know that was even possible. Not sure how account recovery would work in case your phone was run over by a truck or otherwise lost.
All we want are the facts...
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: YubiKey, best practices?

Post by anon_investor »

K72 wrote: Wed May 18, 2022 5:42 pm
anon_investor wrote: Wed May 18, 2022 3:58 pm For your Google, I would remove emails/phone numbers as a recovery method, since those can be potentially hacked. I use authenticator apps and Yubikeys.
Do you mean a combination of authenticator app and Yubikeys to protect the gmail account? I didn't know that was even possible. Not sure how account recovery would work in case your phone was run over by a truck or otherwise lost.
The account can be recovered with either a code from an authenticator app OR multiple Yubikeys.
Finridge
Posts: 1096
Joined: Mon May 16, 2011 7:27 pm

Re: YubiKey, best practices?

Post by Finridge »

K72 wrote: Wed May 18, 2022 5:42 pm
anon_investor wrote: Wed May 18, 2022 3:58 pm For your Google, I would remove emails/phone numbers as a recovery method, since those can be potentially hacked. I use authenticator apps and Yubikeys.
Do you mean a combination of authenticator app and Yubikeys to protect the gmail account? I didn't know that was even possible. Not sure how account recovery would work in case your phone was run over by a truck or otherwise lost.
Not a bad idea. And I wish Vanguard would do this--allow a combination of an authenticator app and Yubikeys for any and all access, rather than using codes when login is from a mobile device.
tm3
Posts: 774
Joined: Wed Dec 24, 2014 6:16 pm

Re: YubiKey, best practices?

Post by tm3 »

Finridge wrote: Wed May 18, 2022 12:55 pm
anon_investor wrote: Wed May 18, 2022 5:39 am
You can secure your Gmail with a Yubikey.
This is a nice option and protects against SIM swap attacks, and I expect that if someone uses it to log in every time they access Gmail or Google Drive it provides strong security. However, most people have these Google services already approved on all their computers and devices. Because we use these services constantly, almost nobody is willing to log in to these services using credentials every time they use them. So in most cases, if anyone can establish control remotely over a computer or device, they have access to Gmail.

So at this point, I regret purchasing the Yubikeys.
Those are good points and ones that I have not seen discussed in the threads that I have found about 2FA and specifically Yubikeys.

I'm still trying to understand exactly how the security/convenience trade-off plays out in daily use with Yubikey to secure email and other accounts.

Seems to me that the safest practice is to completely log out, and then back in, to email and password manager on each device every time either is used. In thinking through this, I realize that I check email at different times and for different reasons on 4 devices: desktop, laptop, phone, iPad. That is a lot of completely logging in and out, but provides the most security.

The alternative is (and correct me if I am wrong) to tell Yubikey at setup that the device is "trusted" so the key is not required at every login on that device. Thus an online hacker won't be able to access the accounts from his computer as he lacks the Yubikey, but the robber who steals the iPhone (and forces me at gunpoint to unlock it for him) has access to email or whatever as he now has a "trusted device" in hand.

Am I understanding the options correctly?